Re: blocking / mount using containers

2018-07-11 Thread Daniel Walsh

On 07/10/2018 10:00 AM, Mclain, Warren wrote:

> I am trying to find a solution for blocking the mounting of / from
> containers. This is a major security hole for Docker and all of those
> types of applications.
>
> I found the mount_anyfile Boolean but nothing that digs into that to
> show how to disable specific mountings.
>
> Looking for any information that would help the container community in
> general.

This seems mighty arbitrary. I would think you would want to block lots
of directories from being mounted into the container in addition to /,
/home, /var, /etc? for example.

What tool are you using, and what access do you want to grant to your users?

> thanks
>
> ___
> Warren McLain
> Enterprise Engineering Services
> IEI Foundation Engineering - Compute, Optum Technology
> warren_mcl...@optum.com Office: 763-744-3107





___
Selinux mailing list
Selinux@tycho.nsa.gov
To unsubscribe, send email to selinux-le...@tycho.nsa.gov.
To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.




Re: blocking / mount using containers

2018-07-10 Thread Stephen Smalley
On 07/10/2018 10:00 AM, Mclain, Warren wrote:
> I am trying to find a solution for blocking the mounting of / from
> containers. This is a major security hole for Docker and all of those types
> of applications.
>
> I found the mount_anyfile Boolean but nothing that digs into that to show
> how to disable specific mountings.
>
> Looking for any information that would help the container community in
> general.

Not sure if this answers your question, but Fedora/RHEL ships with a container 
policy that should already protect the host OS filesystem from the containers.

Even if you mount / into the container when you create it, it isn't writable 
due to SELinux policy, e.g.
$ sudo docker run -v /:/mnt -i -t fedora /bin/bash 
[root@fb83953335bb /]# cd mnt
[root@fb83953335bb mnt]# cat etc/shadow
cat: etc/shadow: Permission denied
[root@fb83953335bb mnt]# touch foo
touch: cannot touch 'foo': Permission denied
[root@fb83953335bb mnt]# exit
$ sudo ausearch -i -m AVC -ts recent

type=PROCTITLE msg=audit(07/10/2018 12:40:11.083:870570) : proctitle=cat 
etc/shadow 
type=PATH msg=audit(07/10/2018 12:40:11.083:870570) : item=0 name=etc/shadow 
inode=1311125 dev=fd:01 mode=file,000 ouid=root ogid=root rdev=00:00 
obj=system_u:object_r:shadow_t:s0 nametype=NORMAL cap_fp=none cap_fi=none 
cap_fe=0 cap_fver=0 
type=CWD msg=audit(07/10/2018 12:40:11.083:870570) : cwd=/mnt 
type=SYSCALL msg=audit(07/10/2018 12:40:11.083:870570) : arch=x86_64 
syscall=openat success=no exit=EACCES(Permission denied) a0=0xff9c 
a1=0x7fffe6c7b92f a2=O_RDONLY a3=0x0 items=1 ppid=1992 pid=2044 auid=unset 
uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root 
tty=pts3 ses=unset comm=cat exe=/usr/bin/cat 
subj=system_u:system_r:container_t:s0:c138,c987 key=(null) 
type=AVC msg=audit(07/10/2018 12:40:11.083:870570) : avc:  denied  { read } for 
 pid=2044 comm=cat name=shadow dev="dm-1" ino=1311125 
scontext=system_u:system_r:container_t:s0:c138,c987 
tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0 

type=PROCTITLE msg=audit(07/10/2018 12:40:19.859:870580) : proctitle=touch foo 
type=PATH msg=audit(07/10/2018 12:40:19.859:870580) : item=0 name=/mnt inode=2 
dev=fd:01 mode=dir,555 ouid=root ogid=root rdev=00:00 
obj=system_u:object_r:root_t:s0 nametype=PARENT cap_fp=none cap_fi=none 
cap_fe=0 cap_fver=0 
type=CWD msg=audit(07/10/2018 12:40:19.859:870580) : cwd=/mnt 
type=SYSCALL msg=audit(07/10/2018 12:40:19.859:870580) : arch=x86_64 
syscall=openat success=no exit=EACCES(Permission denied) a0=0xff9c 
a1=0x7ffc7550f932 a2=O_WRONLY|O_CREAT|O_NOCTTY|O_NONBLOCK a3=0x1b6 items=1 
ppid=1992 pid=2053 auid=unset uid=root gid=root euid=root suid=root fsuid=root 
egid=root sgid=root fsgid=root tty=pts3 ses=unset comm=touch exe=/usr/bin/touch 
subj=system_u:system_r:container_t:s0:c138,c987 key=(null) 
type=AVC msg=audit(07/10/2018 12:40:19.859:870580) : avc:  denied  { write } 
for  pid=2053 comm=touch name=/ dev="dm-1" ino=2 
scontext=system_u:system_r:container_t:s0:c138,c987 
tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=0 

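The AVC records Stephen shows are what an operator should expect from the container policy: a container_t process denied read on shadow_t and write on root_t. As an added example, not code from the thread or from the SELinux or audit projects, the following Python script parses `ausearch -i -m AVC` output, groups enforced denials from a given source type (container_t by default) by target type and object class, and separates out records carrying `permissive=1`, which audit logs but does not block. The first two sample records are the ones from Stephen's output; the third (`net_conf_t`, `permissive=1`) is constructed to show the unenforced case. The record field names and `source_type` parameter are this example's own choices.

```python
"""Summarise SELinux AVC denials from `ausearch -i -m AVC` output.

Added example, not code from the thread or from SELinux/audit tooling.
It parses the interpreted (-i) record format, groups enforced denials
coming from a given source type (container_t by default) by target type
and object class, and separates out records with permissive=1, which audit
logs but does not enforce. ausearch emits each record on one line; the
sample below uses the two records from the thread plus one constructed
permissive record.
"""
import re
from collections import defaultdict

# Two records taken from the thread's output; the third is constructed to
# show the permissive=1 case (logged, not blocked).
SAMPLE_AUSEARCH_OUTPUT = """\
type=AVC msg=audit(07/10/2018 12:40:11.083:870570) : avc:  denied  { read } for  pid=2044 comm=cat name=shadow dev="dm-1" ino=1311125 scontext=system_u:system_r:container_t:s0:c138,c987 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=AVC msg=audit(07/10/2018 12:40:19.859:870580) : avc:  denied  { write } for  pid=2053 comm=touch name=/ dev="dm-1" ino=2 scontext=system_u:system_r:container_t:s0:c138,c987 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=0
type=AVC msg=audit(01/01/2018 00:00:00.000:1) : avc:  denied  { write } for  pid=3001 comm=sh name=hosts dev="dm-1" ino=4242 scontext=system_u:system_r:container_t:s0:c1,c2 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=1
"""

AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def selinux_type(context):
    """Return the type component of a user:role:type[:range] context."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context


def parse_avc_records(text):
    """Parse AVC lines into dicts; non-AVC records (PATH, SYSCALL, ...) are skipped."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
        records.append({
            "verdict": m.group("verdict"),
            "perms": m.group("perms").split(),
            "comm": fields.get("comm", ""),
            "name": fields.get("name", ""),
            "scontext": fields.get("scontext", ""),
            "tcontext": fields.get("tcontext", ""),
            "tclass": fields.get("tclass", ""),
            "permissive": fields.get("permissive") == "1",
        })
    return records


def summarize_denials(records, source_type="container_t"):
    """Map (target type, class) -> sorted denied permissions that were enforced."""
    summary = defaultdict(set)
    for r in records:
        if r["verdict"] != "denied" or r["permissive"]:
            continue
        if selinux_type(r["scontext"]) != source_type:
            continue
        summary[(selinux_type(r["tcontext"]), r["tclass"])].update(r["perms"])
    return {key: sorted(perms) for key, perms in summary.items()}


def unenforced_denials(records):
    """Records with permissive=1: the access was logged but allowed to proceed."""
    return [r for r in records if r["verdict"] == "denied" and r["permissive"]]


if __name__ == "__main__":
    recs = parse_avc_records(SAMPLE_AUSEARCH_OUTPUT)
    for (ttype, tclass), perms in sorted(summarize_denials(recs).items()):
        print(f"container_t -> {ttype} ({tclass}): denied {' '.join(perms)}")
    for r in unenforced_denials(recs):
        print(f"WARNING permissive: {r['comm']} {r['perms']} on {r['name']} "
              f"({selinux_type(r['tcontext'])}) was not blocked")
```

Feed it real output with `sudo ausearch -i -m AVC -ts recent | python3 avc_summary.py` after replacing the sample with `sys.stdin.read()`. The `permissive=1` split matters in practice: a domain that has been switched to permissive (or a host in permissive mode) produces the same denial lines as Stephen's, but the access succeeds, so a summary that ignores that field would report protection that is not there.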

blocking / mount using containers

2018-07-10 Thread Mclain, Warren
I am trying to find a solution for blocking the mounting of / from containers. 
This is a major security hole for Docker and all of those types of applications.

I found the mount_anyfile Boolean but nothing that digs into that to show how
to disable specific mountings.

Looking for any information that would help the container community in general.

thanks

___
Warren McLain
Enterprise Engineering Services
IEI Foundation Engineering - Compute, Optum Technology
 warren_mcl...@optum.com Office: 763-744-3107

